How to Tell If You Have Ransomware?

Featured article by Alex Tray

Ransomware is on the loose in 2021. The statistics reflect skyrocketing incidents. A ransomware attack has been taking place every 11 seconds in 2021. One of the reasons for such a high number of ransomware attacks is a switch to the remote environment. According to Upwork, 26.7% of the workforce operate remotely in 2021, and by 2025 the number of remote workers is expected to double. Remote work offers an ample opportunity for cyber criminals to exercise their craft. According to Security Magazine, remote workers can become a major focus of cyber criminals in 2021.

Small and large businesses have already fallen victim to hackers with the largest payout being $40 million dollars, and the year is not over yet! Ransomware attacks do significant damage to the companies, the worst of which are downtime and lost revenue. It has been estimated that the average downtime caused by a ransomware attack is 21 days. Can you afford to stay out of business that long? Ransomware attacks bring profound disruptions and huge revenue losses to the affected companies. Fortunately, you can prevent ransomware attacks by detecting ransomware on your machine while the attempt is still in the early stages. Let’s look at the main vectors  and symptoms of ransomware and what you can do to keep your data protected.

How to Know If You Have Ransomware

As soon as a cyber criminal comes up with a plan to attack your computer, the clock starts ticking. Once the plan turns to action, it’s your turn to react quickly by catching the intruder in the early stages of the attack. To do so, you need to know how to identify the early and late cues. You should understand how to spot a phishing email and be familiar with the basic software the hacker may use to attack your device. For this reason, let’s look at the signs of ransomware that should raise a red flag once you notice them.

#1 You can’t open a file

When ransomware attacks your system, it can freeze your files. If your file is corrupted, it may not respond when you click on it or attempt to open it. A non-responsive file is a bad sign. It can indicate that your computer is infected by ransomware.

#2 Weird or changed file names

During the attack, cyber criminals can encrypt some or all of your files and make them inaccessible. A sign of a corrupted file is a changed filename or extension.  The common file extensions are txt, pdf, doc, jpg, odt etc. Since there are numerous file extensions, it would be hard to memorize all of them. Check out the file extension list if you’re not sure about an extension. Sophisticated ransomware can often change file names as well. Or, on the contrary, it can infect unnoticed without leaving a trace.

#3 Compromised web browser

Ransomware can encrypt your browser just as it encrypts your files. In this case, a ransomware message informs you that your browser is locked. Other symptoms of a compromised browser may include unwanted pop-ups, messages, unknown browser extensions and a changed homepage.

#4 Suspicious network scanners

There are five attack phases that cyber criminals go through to attack your network:

1. Reconnaissance

2. Scanning

3. Gaining Access

4. Maintaining Access

5. Covering tracks

During the reconnaissance stage, hackers choose the target and explore all ways of launching the attack. Afterwards, the scanning phase can take place, during which cyber criminals test your network for open ports. Vulnerabilities within the open ports can be used as an entry point for an attack.  Hackers can use such tools as Nmap to run network scans. To scan your network while invisible, attackers can run slow scans. This involves sending probe packets only during certain hours.

But how do you know that your network is targeted by a network scanner? Logwatchand Swatch are motoring tools you can use to detect Nmap. However, there is no guarantee that your efforts are going to be successful. Generally, if you notice a large number of requests to multiple IP ports, this can be a sign that your network is being monitored.

#5 Ransomware message with a timer

Seeing a ransomware message is a bad sign. It means that hackers have managed to compromise your machine and that you have missed the early clues. At this point, your data is locked, and you can see a ransom request note on your screen. The note may include the amount of the ransom, due date and a countdown clock.

#6 Credential harvest with Mimikatz

Mimikatz running on your machine indicates the late stage of a ransomware attack. To run this tool cybercriminals need to have administrative privileges. Mimikatz is a tool that helps the attackers to harvest credentials and log in to the victim’s machine with those credentials. Mimikatz can bypass cracking the stolen passwords by transferring and using them as hashes. Before extracting the credentials, hackers need to create an LSASS memory dump. To do so, they often use Task Manager and Microsoft Process Explorer along with Minikatz.

#7 Security removal with Process Hacker

Process Hacker is a tool that allows you to see all apps you currently have on your machine and the amount of resources those apps take up. If you see Process Hacker running, it means that the attacker is about to identify and remotely remove the security software from your computer. This is an advanced stage of a ransomware attack, the final goal of which is to insert a malicious payload.

#8 BloodHound and Active Directory (AD) invasion

BloodHound is an app that uses a special kind of graphical database called Neo4j.Hackers use Neo4j to build relations between objects with the help of links. By using BloodHound, hackers can find the quickest path to the AD domain.

#9 Mini attacks to test the waters

As a rule, experienced cybercriminals perform a series of small attacks before launching the major one. Sometimes attackers take one step at a time. They move forward slowly to make sure the victim doesn’t become too suspicious. Some attacks may take weeks or even months! However, you should raise the alarm as soon as you have noticed any suspicious activity and take all precautions to stop it.

Ransomware Main Vectors

It’s important to watch out for ransomware signs to keep your data safe. However, it’s also critical that you know which routes the hackers use to deliver ransomware to your machine. The three main ransomware vectors are:

1. Phishing mail — This is the main source of ransomware infection. Attackers can change just one letter of your supervisor’s email address. You may not notice it and open the email’s attachment or click the link that leads to the infected website. Alternatively, you can mistakenly grant access to critical files by accepting a fabricated permission or authentication request. The last one is especially dangerous. It gives hackers immediate access to your data, and they can do with it whatever they please.

2. Remote Desktop Protocol (RDP) — RDP is a Microsoft tool used to manage Windows PCs. Employees that work remotely use RDP to access their office machines from home or any place in the world. At the same time, experienced cyber criminals can easily identify vulnerabilities in the RDP network and use them to initiate the attack. Hackers use network scanners to get access to the network credentials. That’s why you need to keep your RDP connection secure by changing ports and using multi-factor authentication.

3. Software vulnerabilities — To make sure the attack is successful, cyber criminals carefully explore all possible vulnerabilities in your software. If you have an old issue without a patch, this can lead to a cyber hazard. Software vulnerabilities include code imperfections, XML data leaks, authentication and session timing flaws, lack of access control, and inaccurate default settings. The top 25 vulnerabilities in 2021 are listed here. Generally, software vulnerabilities are listed in the Common Vulnerabilities and Exposures (CVE) database. Presently, the list contains 173010 CVEs. You can enter the CVE number into the search engine to find details about a certain vulnerability. For example, the EternalBlue exploit number is  CVE–2017-0144. It was first used in 2016 for remote code execution.

How to Check for Ransomware?

Now that we’ve covered the main vectors and signs of ransomware, let’s look at preventive measures. Let’s go over what you can do to monitor your infrastructure and protect your environment from ransomware.

1. Make sure your email is from a legitimate person

2. Scan files and extensions for possible changes

3. Be cautious about any email asking for authentication

4. Question any link that redirects you to a website

5. Don’t download attachments without verification

6. Report unwanted pop-ups and browser issues

7. Check that malicious software has not been installed

8. Monitor your network for foreign network scanners

9. Use antivirus protection tools

10. Change ports in your RDP network

11. Employ multi-step authentication

12. Identify software issues and apply patches

When Backups Can Save the Day

If you were cautious and took all the measures described above, but the attack has taken place, don’t be discouraged. Today, cyber criminals use high-tech tools and top tactics to execute their attacks successfully. At this point, you need to decide whether to pay the ransom or restore your data from backups. Remember, even if you pay the requested sum, there is never a guarantee that you get your data back safe and unaltered. Cybercriminals may sell your data on the dark web even if you agree to pay the ransom.

Backups can help you restore your data and avoid downtime if you get hit by ransomware. Moreover, backup solutions with replication and disaster recovery enable you to instantly failover to a recovery site and continue to run operations during an attack. An efficient backup solution can help you protect your data no matter the infrastructure you use — virtual, cloud, physical or SaaS. Furthermore, prepare for potential ransomware attacks by following the 3-2-1 approach. This tried and tested approach involves keeping three backup copies — two onsite and one offsite or in a remote location.

Conclusion

Cyber criminals are getting more skillful by the day. However, they still leave traces. Your job is to know the signs of ransomware and monitor your machines for potential attack. Make sure your mailboxes are free of phishing emails. If you do suspect cyber activity, but you are not certain what to do, report it immediately and ask for help. Use tools, such as antivirus and network scanners to identify possible threats on your computer and network. Software bugs are of the highest concern! Unfixed, they turn into entry points for malicious actors. Therefore, check your software for vulnerabilities and apply patches as soon as you find an issue. Lastly, back up your data at all times! Backups ensure the safety and recoverability of your data no matter the scenario. Back up your physical, virtual and SaaS environments to ensure the full recovery of your data after a ransomware attack.

NAKIVO Backup & Replication is an affordable, lightweight and user-friendly solution that can help you recover your physical, virtual and SaaS data after a ransomware attack. NAKIVO Backup & Replication offers fast incremental and consistent backups along with efficient disaster recovery options. To learn more about protecting your data with NAKIVO Backup & Replication, click here.

About the Author

Alex Tray is a system administrator with ten years of experience in the tech field. After receiving a Bachelor’s degree in Computer Science, he worked as System Administrator at multiple Silicon Valley companies and helped launch several startups. His primary expertise is Windows Server and Desktop Administration with extensive knowledge of Azure, Active Directory, Office365, DNS, DHCP, Group Policy, Endpoint Manager (Intune) and Microsoft Endpoint Configuration Manager (SCCM).